Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Negative, Graphic. Just disappears.
     
  2. Does TDS-3 close all system tray apps that are not on its "approved" list, when it starts up?
     
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Great thread. I am giving Registry Watcher a try. I cannot find a way to add or remove what registry keys it monitors. I see it refers to a text file C:\Program files\MJ Regwatch.txt in the menu bar of the application. But this txt file does not exist anywhere on my PC. I have even done a search for it using the Windows search function. Maybe there is an incompatibility with the OS I use, Windows ME.

    muf
     

  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I use WinME, too. (sob)

    RegWatch comes pre-configured with all the items recommended by hojtsy. To add to or delete from that list...

    1) Right-click RegWatcher's padlock icon in your system tray.

    2) Click "Show Window"

    3) RegWatcher's window will appear. It has 3 horizontal panels. The current list of registry items that RegWatcher monitors is in the TOP panel. You may edit the entries in this panel as you wish. When you are finished editing, press the "Save keys" button which is located in the upper right corner of RegWatcher's window. The first time you do so will cause RegWatcher to CREATE a text file named MJRegWatchKeys.Txt in the same file folder where RegWatcher is located.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    If you prefer NOT to edit in RegWatcher's window until AFTER you have created a back-up file, here is how to make such a file. NOTE: You need only do this ONCE, right after installing RegWatcher...

    a) With your cursor in the TOP panel of RegWatcher's window, hit your space bar then hit your back space. This non-change will activate the "Save keys" button in the upper right corner of RegWatcher's window.

    b) Then click the "Save keys" button & RegWatcher will CREATE a text file named MJRegWatchKeys.Txt in the same file folder where RegWatcher is located.

    c) Then you can readily back-up that file -- *just in case.*

    aloha..... bellgamin
     
  5. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Ahh right, got it now, thanks bellgamin. I was thinking that there was a txt file that you had to edit. Didn't realise it was as simple as just copy and paste into the top window and save. :doubt: Now I can give it a proper testing. :D

    Cheers for that.
    muf
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA

    Hello again, GE. :)

    I was not aware of an "approved" list. But in any case, RegWatcher is the only app that it closes. At times it might stay open for a few minutes. Other times it closes rather soon. I started TDS earlier today for a scan, and RW closed right away. But since I closed TDS and restarted RW, it's working fine as usual.

    Regarding your other questions...

    I also have this value, in addition to two others, both related to DCS products (Wormguard and TDS3)

    Yes, I have all four of these.

    And Yes, both of these as well.
     
  7. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    I believe TDS also closes Filemon and Regmon if they are running.....a self protection thing I would imagine - stops script kiddies and such seeing what it is accessing - at least I think so :D.

    Regards,
    Jade.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    about the registry poller, I think it uses more resources (even if unnoticed) to poll many registry keys as a whole than simply to wait for a registry write attempt and to block it if it is a write to a protected area (what a driver can do, what ProcessGuard could do).

    A poller is always a "homemade" workable solution, but a real interception (a real block) sounds better to me :)

    Anyway, in the meantime I am myself using a registry poller (from DCS).

    regards,

    gkweb.
     
  9. If you're worried about those things, then take a look at http://www.firewallleaktester.com/tests.htm

    Attacks like Copycat are not blocked by any of the major firewalls, as at October 13th this year! Now that's worrying...

    One of the attacks uses code injection techniques, and I was astonished to find in my copy of the MFC help file, functions called WriteProcessMemory and CreateRemoteThread, that enabled this hacking technique. When Microsoft allows this kind of functionality in their OS, no wonder it's a security nightmare!

    Regards,
    Graphic
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Here is some more interesting information from GKweb with regards to ProcessGuard and leaktests:

    Thanks GK :)
    existing leaktests blocked after they are allowed to run (6) :
    FireHole, PCAuditv1, PCAuditv2, AWFT 3.1, Thermite, CopyCat

    leaktests blockable only by denying them the right to launch (8) :
    WallBreaker, MBtest, Yalta, LeakTest, ToolLeaky, Ghost, DNStester, Surfer

    AWFT, 6 tests : ProcessGuard blocked them all.


    Pilli
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    I have also highlighted recently that Microsoft was providing APIs to hack other processes/programs, so the core OS is not very secure, as you can see, if it helps the trojans.
    However, ProcessGuard offers the possibility to block such code injection :)

    That's why I recommend it on my site :
    http://www.firewallleaktester.com/software.htm

    ProcessGuard v3.0 final should be released very soon (in a few hours).

    regards,

    gkweb.
     
  12. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    MJ Registry Watcher or Tea Timer? Which would be your choice if you had to pick one? How do they differ?
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I use both. RW allows you to select which keys are monitored - much more powerful IMO.
     
  14. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello Graphic :)

    Just upgraded to PG3 today, and that fine app confirmed a conflict with TDS-3 and RW, which I had suspected. Not sure why TDS-3 doesn't like your app. See this thread.
     
  15. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    RW has 2 additional folders; combak and usrbak. What are they for? I have Task Manager and Spywareguard in the startup folder. Combak has Task Manager in that folder and usrbak has Spywareguard in it. Was wondering what was happening there. I also notice that you can't restart the computer if RW is running. You have to close RW first. It does seem to alert the same time as Tea Timer, although I've only had RW for a couple of days.
     
  16. The directories usrbak and combak off of RW's installation directory are used to store the copies of the files (usually small .lnk files) that are resident in the user and common startup folders. The user one is accessible by pressing Start, All Programs, Startup, where you can see what the .lnk files point at iconically. It uses these to restore any changes that may be made to these startup directory items by trojans and the like.

    The keys are stored in memory when the program starts up, and a fresh copy of the .lnk files is made too. The program should wipe these backup entries out when closed, but sometimes Windows is fickle as to whether the files involved are "in use" or not.

    The restart problem (or even shut down) is something I'm looking into at the moment (after this cup of tea first though!). Any suggestions as to how to correctly handle a system request to close, as opposed to a user request, would be much appreciated.

    Thanks,
    Graphic
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi GE, Regarding the possible problem with TDS3 it may be worth emailing DCS as they are usually more than willing to talk to other developers :)
    Good luck with your program :)

    Pilli
     
  18. Just did that, and mentioned that you and Daisey were interested too.

    Graphic
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done, they usually respond very quickly :)
     
  20. I have just put a new version of RegWatcher up that does not prompt to exit the program. Nothing else has changed. This "feature" was causing problems when the user shut down or rebooted the PC while RegWatcher was running. The new version does not ask, and just closes. The only way to close it manually is to use the window decorations. I think some people may think that to return RegWatcher to the tray, you can press either Close or Minimize, but only Minimize will work: Close will exit RegWatcher. Thanks again,

    Graphic
     
  21. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    For registry watching MJ is better, in many things. But TeaTimer has other functionality too: it watches for running spyware and kills it. A very unfortunate thing is that TeaTimer cannot be configured to do only the spyware-watching and disable the registry watching. (Please please implement this option in TeaTimer.) Running two poller registry monitors can be very confusing, and should only be done by advanced users. Thus to maximize your protection use a separate full-featured registry monitor (MJ, SSM or Regrun), and a separate spyware-killer (TDS, BoClean, Giant, etc). If you just want medium protection for free use TeaTimer, which does both, but with limited efficiency. I told the author of TeaTimer ages ago about increasing the monitored key list, but he does not seem to care.
    -hojtsy-
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi hojtsy,

    Would you know whether Giant AS covers the registry entries that you recommend. I have a full licensed version running alongside Ewido. Thanks for the help.

    Rich
     
  23. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Registry reads most often come from the memory cache and are thus quite fast operations. You can poll several keys every second without noticeable time consumption. But an interceptor should process and filter all registry write operations, so I think it is possible that an interceptor would be more resource consuming. However, it could not be a dramatic performance hit because Process Guard is already a registry interceptor (too), and does not eat much CPU.
    From the safety point of view an interceptor is clearly the better.

    I should check that. I am not even sure it is a poller. Hmm, if anybody could run Sysinternals Registry Monitor while Giant is running, it would list the polled keys.
    -hojtsy-
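
The poller-versus-interceptor point made by gkweb and hojtsy above, as an added example that is not RegWatcher's, TeaTimer's, DCS's or any other product's code. It snapshots a list of autostart keys, re-reads them on a timer and reports values that were added, removed or changed, which is all a poller can do. The `demo()` function then shows the blind spot that makes an interceptor safer: a write that is made and undone between two polls is never seen. The key paths are a constructed subset of the usual autostart locations, not hojtsy's full list; the `winreg_reader` function is the only part that touches a live registry and works on Windows only, while the in-memory reader lets the logic run anywhere.

```python
"""Added example: a minimal autostart-key poller, and the window it cannot see."""
from __future__ import annotations

import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed subset of autostart locations (assumption: what such a poller would watch).
AUTOSTART_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",  # holds AppInit_DLLs
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
]

Values = Dict[str, str]            # value name -> data (as text)
Snapshot = Dict[str, Values]       # key path -> its values
Reader = Callable[[str], Values]   # how one key is read (live registry or a fake)
Event = Tuple[str, str, str, Optional[str], Optional[str]]  # kind, key, name, old, new


def winreg_reader(key_path: str) -> Values:
    """Read one key's values from the live registry (Windows only; stdlib winreg)."""
    import winreg  # only available on Windows

    hive_name, _, subkey = key_path.partition("\\")
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    values: Values = {}
    try:
        with winreg.OpenKey(hive, subkey) as handle:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(handle, index)
                except OSError:          # EnumValue raises once no values remain
                    break
                values[name] = str(data)
                index += 1
    except FileNotFoundError:
        pass                             # key absent: report it as having no values
    return values


def dict_reader(fake_registry: Dict[str, Values]) -> Reader:
    """Reader over an in-memory dict, so the poller logic runs off Windows and in tests."""
    return lambda key_path: dict(fake_registry.get(key_path, {}))


def take_snapshot(keys: List[str], read_key: Reader) -> Snapshot:
    return {key: read_key(key) for key in keys}


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Event]:
    """Return added/removed/changed values between two snapshots of the same keys."""
    events: List[Event] = []
    for key, new_vals in new.items():
        old_vals = old.get(key, {})
        for name in new_vals.keys() - old_vals.keys():
            events.append(("added", key, name, None, new_vals[name]))
        for name in old_vals.keys() - new_vals.keys():
            events.append(("removed", key, name, old_vals[name], None))
        for name in old_vals.keys() & new_vals.keys():
            if old_vals[name] != new_vals[name]:
                events.append(("changed", key, name, old_vals[name], new_vals[name]))
    return sorted(events)


def poll(keys: List[str], read_key: Reader, interval: float, rounds: int) -> List[Event]:
    """Poll `rounds` times, `interval` seconds apart, collecting every change observed."""
    baseline = take_snapshot(keys, read_key)
    seen: List[Event] = []
    for _ in range(rounds):
        time.sleep(interval)
        current = take_snapshot(keys, read_key)
        seen.extend(diff_snapshots(baseline, current))
        baseline = current               # alert once per change, then accept the new state
    return seen


def demo() -> Tuple[List[Event], List[Event]]:
    """Constructed scenario: a persistent addition is caught, a transient write is not."""
    hkcu_run = AUTOSTART_KEYS[2]
    registry: Dict[str, Values] = {key: {} for key in AUTOSTART_KEYS}
    registry[AUTOSTART_KEYS[0]]["TDS-3"] = r"C:\Program Files\TDS3\tds-3.exe"
    read_key = dict_reader(registry)

    before = take_snapshot(AUTOSTART_KEYS, read_key)
    registry[hkcu_run]["svch0st"] = r"C:\WINDOWS\TEMP\svch0st.exe"   # persists: detected
    caught = diff_snapshots(before, take_snapshot(AUTOSTART_KEYS, read_key))

    before = take_snapshot(AUTOSTART_KEYS, read_key)
    registry[hkcu_run]["loader"] = r"C:\WINDOWS\TEMP\loader.exe"     # written ...
    del registry[hkcu_run]["loader"]                                  # ... and undone before the next poll
    missed = diff_snapshots(before, take_snapshot(AUTOSTART_KEYS, read_key))
    return caught, missed


if __name__ == "__main__":
    caught, missed = demo()
    for event in caught:
        print("ALERT", *event)
    print("events for the transient write:", len(missed))
```

The second half of `demo()` is the argument for a driver-level interceptor in code: a loader that writes a Run value, starts, and deletes the value again inside one polling interval leaves nothing for `diff_snapshots` to compare, whereas a filter sitting on the write path sees the attempt itself. Shortening the interval narrows the window but never closes it, and costs the extra reads hojtsy and gkweb discuss.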
     
  24. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    hojtsy,

    I'm currently running Spywareblaster, Spywareguard, BOClean, MJ, WinPatrol, ZA free and NAV2005. Am I pretty well covered? I'm also running S&D Tea Timer and SD Helper. Are you recommending I disable those since I'm running MJ?
     
  25. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I updated post #1. Go and see the statistics of MJ.

    Hi,

    Do not disable SD Helper and TeaTimer. They are a cheap protection layer eating minimal resources. I don't know if you can disable registry monitoring in WinPatrol: if it is possible I advise doing so, to avoid confusing situations with 3 different registry monitors popping up for a single change. If you have the time I suggest removing those keys from MJ which are also watched by TeaTimer (see table in post 1); this way some keys will alert TeaTimer only, more exotic ones will alert MJ only. A weak point in your setup seems to be that you are not protected from process injection and termination tricks employed by malware. For this I suggest doing one of these:
    1) replace ZA with Outpost 2.5, Tiny 6.0, LooknStop or the free Kerio 4.
    2) use DiamondCS Process Guard, or SSM, or other sandboxes

    I have an expired trial of Giant. (Note that I wanted to purchase, but they do not accept "push" bank transfers.) This expired trial claims that definition updates will not be downloaded, but real-time protection is active. Sysinternals Registry Monitor shows polling of several registry keys every few seconds. Approximately half of the autostart keys on the Big List are polled. I noticed that even though there are separate "checkpoints" protecting AppInit_dll and ShellServiceObjectDelayLoad, these registry keys are NOT polled. I started to experiment with first modifying AppInit_dll, and later the well-known Run key, but Giant kept silent. No alert, no logs, no popup dialogs; the changes were just permitted. Is this because of the expired trial?!? I do not know. But it is strange anyway that it is polling several autostart locations and does not poll others which are clearly indicated on the GUI as being protected too.
    -hojtsy-
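
hojtsy's method in the two posts above (run Sysinternals Registry Monitor beside the product and see which autostart keys it reads every few seconds, then compare that with what the GUI claims to protect) can be done mechanically on a saved log. The following is an added example, not Sysinternals' or any vendor's code and not a measurement of any real product: it groups read operations by process and key, estimates a polling interval per key, and lists claimed-protected keys that never appear in the log. The log lines, the process name antispy.exe, the tab-separated column layout and the claimed-protected list are all constructed for the example; a real Regmon export has to be mapped onto the fields the regular expression expects.

```python
"""Added example: which autostart keys does a program actually poll, per a Regmon-style log?"""
from __future__ import annotations

import re
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Optional, Set, Tuple

HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"  # holds AppInit_DLLs
SSODL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed: what a product's GUI says it protects (modelled on the "checkpoints" described above).
CLAIMED_PROTECTED = [HKLM_RUN, HKCU_RUN, APPINIT_KEY, SSODL]

# Constructed log, tab-separated: seq, time, process:pid, request, path, result.
SAMPLE_LOG = "\n".join([
    "#\tTime\tProcess\tRequest\tPath\tResult",
    f"1\t12:00:00.105\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\TDS-3\tSUCCESS",
    f"2\t12:00:00.106\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\WormGuard\tSUCCESS",
    f"3\t12:00:00.108\tantispy.exe:1344\tQueryValue\t{HKCU_RUN}\\msnmsgr\tSUCCESS",
    f"4\t12:00:00.120\tantispy.exe:1344\tQueryValue\t{WINLOGON}\\Shell\tSUCCESS",
    f"5\t12:00:01.300\texplorer.exe:812\tQueryValue\t{HKCU_RUN}\\msnmsgr\tSUCCESS",
    f"6\t12:00:03.104\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\TDS-3\tSUCCESS",
    f"7\t12:00:03.105\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\WormGuard\tSUCCESS",
    f"8\t12:00:03.107\tantispy.exe:1344\tQueryValue\t{HKCU_RUN}\\msnmsgr\tSUCCESS",
    f"9\t12:00:04.400\texplorer.exe:812\tSetValue\t{HKCU_RUN}\\msnmsgr\tSUCCESS",
    f"10\t12:00:06.102\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\TDS-3\tSUCCESS",
    f"11\t12:00:06.103\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\WormGuard\tSUCCESS",
    f"12\t12:00:06.105\tantispy.exe:1344\tQueryValue\t{HKCU_RUN}\\msnmsgr\tSUCCESS",
    f"13\t12:00:09.101\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\TDS-3\tSUCCESS",
    f"14\t12:00:09.102\tantispy.exe:1344\tQueryValue\t{HKLM_RUN}\\WormGuard\tSUCCESS",
    f"15\t12:00:09.104\tantispy.exe:1344\tQueryValue\t{HKCU_RUN}\\msnmsgr\tSUCCESS",
])

LINE_RE = re.compile(r"^(\d+)\t(\d\d):(\d\d):(\d\d)\.(\d{3})\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)$")
READ_REQUESTS = {"QueryValue", "EnumerateValue", "QueryKey"}   # reads only; writes are not polling


def _seconds(h: str, m: str, s: str, ms: str) -> float:
    return int(h) * 3600 + int(m) * 60 + int(s) + int(ms) / 1000


def _key_of(request: str, path: str) -> str:
    # QueryValue paths end in the value name; the parent key is what a poller watches.
    return path.rsplit("\\", 1)[0] if request == "QueryValue" else path


def read_times(log: str) -> Dict[Tuple[str, str], List[float]]:
    """Map (process, key) -> timestamps of every read of that key; unparseable lines are skipped."""
    out: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        _seq, h, mi, s, ms, proc, request, path, _result = match.groups()
        if request in READ_REQUESTS:
            out[(proc.split(":")[0].lower(), _key_of(request, path))].append(_seconds(h, mi, s, ms))
    return out


def collapse_rounds(times: List[float], window: float = 0.5) -> List[float]:
    """A key with several values is read back-to-back; merge such bursts into one poll round."""
    rounds: List[float] = []
    for t in sorted(times):
        if not rounds or t - rounds[-1] > window:
            rounds.append(t)
    return rounds


def polling_interval(times: List[float], min_rounds: int = 3, jitter: float = 0.25) -> Optional[float]:
    """Median gap between poll rounds, or None if too few rounds or the gaps are irregular."""
    rounds = collapse_rounds(times)
    if len(rounds) < min_rounds:
        return None
    gaps = [b - a for a, b in zip(rounds, rounds[1:])]
    med = median(gaps)
    return med if all(abs(g - med) <= jitter * med for g in gaps) else None


def polled_keys(log: str, process: str) -> Dict[str, float]:
    """Keys the given process reads on a regular interval, with that interval in seconds."""
    found: Dict[str, float] = {}
    for (proc, key), times in read_times(log).items():
        if proc == process.lower():
            interval = polling_interval(times)
            if interval is not None:
                found[key] = interval
    return found


def coverage_gap(claimed: Iterable[str], polled: Dict[str, float]) -> Set[str]:
    """Claimed-protected keys that the log never shows being polled."""
    seen = {key.lower() for key in polled}
    return {key for key in claimed if key.lower() not in seen}


if __name__ == "__main__":
    polled = polled_keys(SAMPLE_LOG, "antispy.exe")
    for key, interval in sorted(polled.items()):
        print(f"polled every {interval:.1f}s: {key}")
    for key in sorted(coverage_gap(CLAIMED_PROTECTED, polled)):
        print("claimed but never read:", key)
```

The one-off read of the Winlogon key in the sample is a startup scan, not polling, and `polling_interval` rejects it because there is a single round; the `SetValue` line from explorer.exe is ignored because only read requests count. The `window` in `collapse_rounds` matters in practice: without it a key holding several values looks like it is read at an irregular interval and is dropped.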
     